devise_security_extension 0.9.2 → 0.10.0

data/Rakefile

@@ -1,39 +1,23 @@
+$:.unshift File.join(File.dirname(__FILE__), 'lib')
 require 'rubygems'
 require 'bundler'
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
-require 'rake'
+require 'rake/testtask'
+require 'rdoc/task'
+require 'devise_security_extension/version'
 
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
-  gem.name = "devise_security_extension"
-  gem.homepage = "http://github.com/phatworx/devise_security_extension"
-  gem.license = "MIT"
-  gem.summary = %Q{Security extension for devise}
-  gem.description = %Q{An enterprise security extension for devise, trying to meet industrial standard security demands for web applications.}
-  gem.email = "team@phatworx.de"
-  gem.authors = ["Marco Scholl", "Alexander Dreher"]
-end
-Jeweler::RubygemsDotOrgTasks.new
+desc 'Default: Run DeviseSecurityExtension unit tests'
+task default: :test
 
-require 'rake/testtask'
-Rake::TestTask.new(:test) do |test|
-  test.libs << 'lib' << 'test'
-  test.pattern = 'test/**/test_*.rb'
-  test.verbose = true
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.test_files = FileList['test/*test*.rb']
+  t.verbose = true
+  t.warning = false
 end
 
-task :default => :test
-
-require 'rdoc/task'
 Rake::RDocTask.new do |rdoc|
-  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+  version = DeviseSecurityExtension::VERSION.dup
 
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title = "devise_security_extension #{version}"

data/app/controllers/devise/paranoid_verification_code_controller.rb

@@ -0,0 +1,42 @@
+class Devise::ParanoidVerificationCodeController < DeviseController
+  skip_before_filter :handle_paranoid_verification
+  prepend_before_filter :authenticate_scope!, :only => [:show, :update]
+
+  def show
+    if !resource.nil? && resource.need_paranoid_verification?
+      respond_with(resource)
+    else
+      redirect_to :root
+    end
+  end
+
+  def update
+    if resource.verify_code(resource_params[:paranoid_verification_code])
+      warden.session(scope)['paranoid_verify'] = false
+      set_flash_message :notice, :updated
+      sign_in scope, resource, :bypass => true
+      redirect_to stored_location_for(scope) || :root
+    else
+      respond_with(resource, action: :show)
+    end
+  end
+
+  private
+
+  def resource_params
+    if params.respond_to?(:permit)
+      params.require(resource_name).permit(:paranoid_verification_code)
+    else
+      params[scope].slice(:paranoid_verification_code)
+    end
+  end
+
+  def scope
+    resource_name.to_sym
+  end
+
+  def authenticate_scope!
+    send(:"authenticate_#{resource_name}!")
+    self.resource = send("current_#{resource_name}")
+  end
+end

data/app/controllers/devise/password_expired_controller.rb

@@ -1,13 +1,10 @@
 class Devise::PasswordExpiredController < DeviseController
   skip_before_filter :handle_password_change
+  before_filter :skip_password_change, only: [:show, :update]
   prepend_before_filter :authenticate_scope!, :only => [:show, :update]
 
   def show
-    if not resource.nil? and resource.need_change_password?
-      respond_with(resource)
-    else
-      redirect_to :root
-    end
+    respond_with(resource)
   end
 
   def update
@@ -24,9 +21,21 @@ class Devise::PasswordExpiredController < DeviseController
   end
 
   private
-    def resource_params
-      params.require(resource_name).permit(:current_password, :password, :password_confirmation)
+
+  def skip_password_change
+    return if !resource.nil? && resource.need_change_password?
+    redirect_to :root
+  end
+
+  def resource_params
+    permitted_params = [:current_password, :password, :password_confirmation]
+
+    if params.respond_to?(:permit)
+      params.require(resource_name).permit(*permitted_params)
+    else
+      params[scope].slice(*permitted_params)
     end
+  end
 
   def scope
     resource_name.to_sym

data/app/views/devise/paranoid_verification_code/show.html.erb

@@ -0,0 +1,10 @@
+<h2>Submit verification code</h2>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :paranoid_verification_code], :html => { :method => :put }) do |f| %>
+  <%= devise_error_messages! %>
+
+  <p><%= f.label :paranoid_verification_code, 'Verification code' %><br />
+  <%= f.text_field :paranoid_verification_code, value: '' %></p>
+
+  <p><%= f.submit "Submit" %></p>
+<% end %>

data/config/locales/de.yml

@@ -6,6 +6,8 @@ de:
       password_format: "müssen große, kleine Buchstaben und Ziffern enthalten"
   devise:
     invalid_captcha: "Die Captchaeingabe ist nicht gültig!"
+    paranoid_verify:
+      code_required: "Bitte geben Sie den Code unser Support-Team zur Verfügung gestellt"
     password_expired:
       updated: "Das neue Passwort wurde übernommen."
       change_required: "Ihr Passwort ist abgelaufen. Bitte vergeben sie ein neues Passwort!"

data/config/locales/en.yml

@@ -1,14 +1,16 @@
 en:
   errors:
     messages:
-      taken_in_past: "was already taken in the past!"
-      equal_to_current_password: "must be different to the current password!"
+      taken_in_past: "was used previously."
+      equal_to_current_password: "must be different than the current password."
       password_format: "must contain big, small letters and digits"
   devise:
-    invalid_captcha: "The captcha input is not valid!"
+    invalid_captcha: "The captcha input was invalid."
+    paranoid_verify:
+      code_required: "Please enter the code our support team provided"
     password_expired:
       updated: "Your new password is saved."
-      change_required: "Your password is expired. Please renew your password!"
+      change_required: "Your password is expired. Please renew your password."
     failure:
       session_limited: 'Your login credentials were used in another browser. Please sign in again to continue in this browser.'
       expired: 'Your account has expired due to inactivity. Please contact the site administrator.'

data/config/locales/it.yml

@@ -0,0 +1,10 @@
+it:
+  errors:
+    messages:
+      taken_in_past: "e' stata gia' utilizzata in passato!"
+      equal_to_current_password: " deve essere differente dalla password corrente!"
+  devise:
+    invalid_captcha: "Il captcha inserito non e' valido!"
+    password_expired:
+      updated: "La tua nuova password e' stata salvata."
+      change_required: "La tua password e' scaduta. Si prega di rinnovarla!"

data/devise_security_extension.gemspec

@@ -1,111 +1,31 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: devise_security_extension 0.8.3 ruby lib
+$LOAD_PATH.unshift(File.expand_path('../lib', __FILE__))
+require 'devise_security_extension/version'
 
 Gem::Specification.new do |s|
-  s.name = "devise_security_extension"
-  s.version = "0.9.2"
+  s.name = 'devise_security_extension'
+  s.version     = DeviseSecurityExtension::VERSION.dup
+  s.platform    = Gem::Platform::RUBY
+  s.licenses    = ['MIT']
+  s.summary     = 'Security extension for devise'
+  s.email       = 'team@phatworx.de'
+  s.homepage    = 'https://github.com/phatworx/devise_security_extension'
+  s.description = 'An enterprise security extension for devise, trying to meet industrial standard security demands for web applications.'
+  s.authors     = ['Marco Scholl', 'Alexander Dreher']
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.require_paths = ["lib"]
-  s.authors = ["Marco Scholl", "Alexander Dreher"]
-  s.date = "2015-04-02"
-  s.description = "An enterprise security extension for devise, trying to meet industrial standard security demands for web applications."
-  s.email = "team@phatworx.de"
-  s.extra_rdoc_files = [
-    "LICENSE.txt",
-    "README.md"
-  ]
-  s.files = [
-    ".document",
-    "Gemfile",
-    "Gemfile.lock",
-    "LICENSE.txt",
-    "README.md",
-    "Rakefile",
-    "VERSION",
-    "app/controllers/devise/password_expired_controller.rb",
-    "app/views/devise/password_expired/show.html.erb",
-    "config/locales/de.yml",
-    "config/locales/en.yml",
-    "devise_security_extension.gemspec",
-    "lib/devise_security_extension.rb",
-    "lib/devise_security_extension/controllers/helpers.rb",
-    "lib/devise_security_extension/hooks/expirable.rb",
-    "lib/devise_security_extension/hooks/password_expirable.rb",
-    "lib/devise_security_extension/hooks/session_limitable.rb",
-    "lib/devise_security_extension/models/expirable.rb",
-    "lib/devise_security_extension/models/old_password.rb",
-    "lib/devise_security_extension/models/password_archivable.rb",
-    "lib/devise_security_extension/models/password_expirable.rb",
-    "lib/devise_security_extension/models/secure_validatable.rb",
-    "lib/devise_security_extension/models/security_question.rb",
-    "lib/devise_security_extension/models/security_questionable.rb",
-    "lib/devise_security_extension/models/session_limitable.rb",
-    "lib/devise_security_extension/orm/active_record.rb",
-    "lib/devise_security_extension/models/database_authenticatable_patch.rb",
-    "lib/devise_security_extension/patches.rb",
-    "lib/devise_security_extension/patches/confirmations_controller_captcha.rb",
-    "lib/devise_security_extension/patches/confirmations_controller_security_question.rb",
-    "lib/devise_security_extension/patches/passwords_controller_captcha.rb",
-    "lib/devise_security_extension/patches/passwords_controller_security_question.rb",
-    "lib/devise_security_extension/patches/registrations_controller_captcha.rb",
-    "lib/devise_security_extension/patches/sessions_controller_captcha.rb",
-    "lib/devise_security_extension/patches/unlocks_controller_captcha.rb",
-    "lib/devise_security_extension/patches/unlocks_controller_security_question.rb",
-    "lib/devise_security_extension/rails.rb",
-    "lib/devise_security_extension/routes.rb",
-    "lib/devise_security_extension/schema.rb",
-    "lib/generators/devise_security_extension/install_generator.rb",
-    "test/dummy/app/models/.gitkeep",
-    "test/dummy/app/models/user.rb",
-    "test/dummy/config.ru",
-    "test/dummy/config/application.rb",
-    "test/dummy/config/boot.rb",
-    "test/dummy/config/database.yml",
-    "test/dummy/config/environment.rb",
-    "test/dummy/config/environments/test.rb",
-    "test/dummy/config/initializers/devise.rb",
-    "test/dummy/db/migrate/20120508165529_create_tables.rb",
-    "test/helper.rb",
-    "test/test_devise_security_extension.rb",
-    "test/test_password_archivable.rb"
-  ]
-  s.homepage = "http://github.com/phatworx/devise_security_extension"
-  s.licenses = ["MIT"]
-  s.rubygems_version = "2.2.2"
-  s.summary = "Security extension for devise"
+  s.rubyforge_project = 'devise_security_extension'
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 4
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- test/*`.split("\n")
+  s.require_paths = ['lib']
+  s.required_ruby_version = '>= 1.9.3'
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rails>, [">= 3.1.1"])
-      s.add_runtime_dependency(%q<devise>, [">= 2.0.0"])
-      s.add_development_dependency(%q<rails_email_validator>, [">= 0"])
-      s.add_development_dependency(%q<easy_captcha>, [">= 0"])
-      s.add_development_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_development_dependency(%q<jeweler>, ["~> 2.0.1"])
-      s.add_development_dependency(%q<sqlite3>, [">= 0"])
-    else
-      s.add_dependency(%q<rails>, [">= 3.1.1"])
-      s.add_dependency(%q<devise>, [">= 2.0.0"])
-      s.add_dependency(%q<rails_email_validator>, [">= 0"])
-      s.add_dependency(%q<easy_captcha>, [">= 0"])
-      s.add_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_dependency(%q<jeweler>, ["~> 2.0.1"])
-      s.add_dependency(%q<sqlite3>, [">= 0"])
-    end
-  else
-    s.add_dependency(%q<rails>, [">= 3.1.1"])
-    s.add_dependency(%q<devise>, [">= 2.0.0"])
-    s.add_dependency(%q<rails_email_validator>, [">= 0"])
-    s.add_dependency(%q<easy_captcha>, [">= 0"])
-    s.add_dependency(%q<bundler>, [">= 1.0.0"])
-    s.add_dependency(%q<jeweler>, ["~> 2.0.1"])
-    s.add_dependency(%q<sqlite3>, [">= 0"])
-  end
+  s.add_runtime_dependency 'railties', '>= 3.2.6', '< 5.0'
+  s.add_runtime_dependency 'devise', '>= 3.0.0', '< 4.0'
+  s.add_development_dependency 'bundler', '>= 1.3.0', '< 2.0'
+  s.add_development_dependency 'sqlite3', '~> 1.3.10'
+  s.add_development_dependency 'rubocop', '~> 0'
+  s.add_development_dependency 'minitest'
+  s.add_development_dependency 'easy_captcha', '~> 0'
+  s.add_development_dependency 'rails_email_validator', '~> 0'
 end
-

data/lib/devise_security_extension.rb

@@ -14,7 +14,7 @@ module Devise
   mattr_accessor :password_regex
   @@password_regex = /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
 
-  # How often save old passwords in archive
+  # Number of old passwords in archive
   mattr_accessor :password_archiving_count
   @@password_archiving_count = 5
 
@@ -62,11 +62,19 @@ module Devise
   mattr_accessor :captcha_for_confirmation
   @@captcha_for_confirmation = false
 
+  # captcha integration for confirmation form
+  mattr_accessor :verification_code_generator
+  @@verification_code_generator = -> { SecureRandom.hex[0..4] }
+
   # Time period for account expiry from last_activity_at
   mattr_accessor :expire_after
   @@expire_after = 90.days
   mattr_accessor :delete_expired_after
   @@delete_expired_after = 90.days
+
+  # paranoid_verification will regenerate verifacation code after faild attempt
+  mattr_accessor :paranoid_code_regenerate_after_attempt
+  @@paranoid_code_regenerate_after_attempt = 10
 end
 
 # an security extension for devise
@@ -80,17 +88,19 @@ module DeviseSecurityExtension
 end
 
 # modules
-Devise.add_module :password_expirable, :controller => :password_expirable, :model => 'devise_security_extension/models/password_expirable', :route => :password_expired
-Devise.add_module :secure_validatable, :model => 'devise_security_extension/models/secure_validatable'
-Devise.add_module :password_archivable, :model => 'devise_security_extension/models/password_archivable'
-Devise.add_module :session_limitable, :model => 'devise_security_extension/models/session_limitable'
-Devise.add_module :expirable, :model => 'devise_security_extension/models/expirable'
-Devise.add_module :security_questionable, :model => 'devise_security_extension/models/security_questionable'
+Devise.add_module :password_expirable, controller: :password_expirable, model: 'devise_security_extension/models/password_expirable', route: :password_expired
+Devise.add_module :secure_validatable, model: 'devise_security_extension/models/secure_validatable'
+Devise.add_module :password_archivable, model: 'devise_security_extension/models/password_archivable'
+Devise.add_module :session_limitable, model: 'devise_security_extension/models/session_limitable'
+Devise.add_module :session_non_transferable, model: 'devise_security_extension/models/session_non_transferable'
+Devise.add_module :expirable, model: 'devise_security_extension/models/expirable'
+Devise.add_module :security_questionable, model: 'devise_security_extension/models/security_questionable'
+Devise.add_module :paranoid_verification, controller: :paranoid_verification_code, model: 'devise_security_extension/models/paranoid_verification', route: :verification_code
 
 # requires
 require 'devise_security_extension/routes'
 require 'devise_security_extension/rails'
 require 'devise_security_extension/orm/active_record'
 require 'devise_security_extension/models/old_password'
-require 'devise_security_extension/models/security_question'
 require 'devise_security_extension/models/database_authenticatable_patch'
+require 'devise_security_extension/models/paranoid_verification'

data/lib/devise_security_extension/controllers/helpers.rb

@@ -5,13 +5,14 @@ module DeviseSecurityExtension
 
       included do
         before_filter :handle_password_change
+        before_filter :handle_paranoid_verification
       end
-      
+
       module ClassMethods
         # helper for captcha
         def init_recover_password_captcha
           include RecoverPasswordCaptcha
-        end        
+        end
       end
 
       module RecoverPasswordCaptcha
@@ -26,11 +27,33 @@ module DeviseSecurityExtension
 
         # lookup if an password change needed
         def handle_password_change
+          return if warden.nil?
+
           if not devise_controller? and not ignore_password_expire? and not request.format.nil? and request.format.html?
             Devise.mappings.keys.flatten.any? do |scope|
               if signed_in?(scope) and warden.session(scope)['password_expired']
-                session["#{scope}_return_to"] = request.path if request.get?
-                redirect_for_password_change scope
+                # re-check to avoid infinite loop if date changed after login attempt
+                if send(:"current_#{scope}").try(:need_change_password?)
+                  session["#{scope}_return_to"] = request.original_fullpath if request.get?
+                  redirect_for_password_change scope
+                  return
+                else
+                  warden.session(scope)[:password_expired] = false
+                end
+              end
+            end
+          end
+        end
+
+        # lookup if extra (paranoid) code verification is needed
+        def handle_paranoid_verification
+          return if warden.nil?
+
+          if !devise_controller? && !request.format.nil? && request.format.html?
+            Devise.mappings.keys.flatten.any? do |scope|
+              if signed_in?(scope) && warden.session(scope)['paranoid_verify']
+                session["#{scope}_return_to"] = request.original_fullpath if request.get?
+                redirect_for_paranoid_verification scope
                 return
               end
             end
@@ -42,15 +65,25 @@ module DeviseSecurityExtension
           redirect_to change_password_required_path_for(scope), :alert => I18n.t('change_required', {:scope => 'devise.password_expired'})
         end
 
+        def redirect_for_paranoid_verification(scope)
+          redirect_to paranoid_verification_code_path_for(scope), :alert => I18n.t('code_required', {:scope => 'devise.paranoid_verify'})
+        end
+
         # path for change password
         def change_password_required_path_for(resource_or_scope = nil)
           scope       = Devise::Mapping.find_scope!(resource_or_scope)
           change_path = "#{scope}_password_expired_path"
           send(change_path)
         end
-        
+
+        def paranoid_verification_code_path_for(resource_or_scope = nil)
+          scope       = Devise::Mapping.find_scope!(resource_or_scope)
+          change_path = "#{scope}_paranoid_verification_code_path"
+          send(change_path)
+        end
+
         protected
-        
+
         # allow to overwrite for some special handlings
         def ignore_password_expire?
           false